Tuesday, December 11, 2007

It has been announced that Skype has remedied a critical security hole in version 3.6 of its VoIP software for Windows, released in mid-November 2007.

When a specially crafted website is visited, attackers are able to inject malicious code onto a PC and execute it with the user's privileges. It would then be possible to infect the computer with malware.

The Zero Day Initiative says there was a flaw in the URI handler skype4com, which is registered when Skype is installed. Short strings passed to this handler can provoke a memory violation, allowing code to be written into memory.
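Because a URI handler registered at install time is reachable from any web page, an administrator will want to know which handlers a machine exposes and what each one launches. The following PowerShell audit is an added example, not code from the article or from Skype; it assumes only the standard Windows registration layout (a scheme key under HKEY_CLASSES_ROOT carrying a "URL Protocol" value and a shell\open\command subkey), and the scheme name 'skype4com' is taken from the report above.

```powershell
# Added example (not from the article): list URL protocol handlers registered
# on this Windows machine and the command line each one launches, so an
# administrator can see what a web page can reach through a custom URI scheme.
# Assumes the standard layout: HKCR:\<scheme> carries a "URL Protocol" value and
# HKCR:\<scheme>\shell\open\command holds the launch command line.

function Get-UrlProtocolHandler {
    [CmdletBinding()]
    param(
        # Optional scheme to look up, e.g. 'skype4com'; all schemes when omitted.
        [string]$Scheme
    )
    if (-not (Get-PSDrive -Name HKCR -ErrorAction SilentlyContinue)) {
        New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT | Out-Null
    }
    $keys = if ($Scheme) { Get-Item "HKCR:\$Scheme" -ErrorAction SilentlyContinue }
            else { Get-ChildItem 'HKCR:\' -ErrorAction SilentlyContinue }
    foreach ($key in $keys) {
        # Only keys that declare "URL Protocol" are browser-reachable handlers.
        if ($null -eq $key.GetValue('URL Protocol', $null)) { continue }
        $cmdKey = Get-Item "HKCR:\$($key.PSChildName)\shell\open\command" -ErrorAction SilentlyContinue
        $command = if ($cmdKey) { $cmdKey.GetValue('') } else { $null }
        [pscustomobject]@{
            Scheme  = $key.PSChildName
            Command = $command
        }
    }
}

# Every registered handler, then the one the report names (empty if not installed).
Get-UrlProtocolHandler | Sort-Object Scheme | Format-Table -AutoSize
Get-UrlProtocolHandler -Scheme 'skype4com'
```

Run it as a normal user; reading HKEY_CLASSES_ROOT needs no elevation, and an unexpected or outdated executable in the Command column is the cue to update or remove the registering application.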

It is not clear whether this flaw entered the software with the fix for the earlier URI hole that was made public shortly before this update. But it is clear that Skype has once again closed critical holes furtively without informing users at all.

The last security advisory published by Skype is dated 3 October 2006. Users who still have an older version of Skype should install the latest version as soon as possible. Generally, the software informs users that a new major update has been released. The software reportedly also informs users about security releases, but Skype first has to declare them as such.